DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION


REPRIMAND 


The Information Commissioner (the Commissioner) issues a reprimand to
South Tees Hospitals NHS Foundation Trust (the Trust) in accordance with
Article 58(2)(b) of the UK General Data Protection Regulation in respect of
certain infringements of the UK GDPR.


The proposed reprimand 


The Commissioner has decided to issue a reprimand to the Trust in 
respect of the following infringements of the UK GDPR: 


• Article 5(1)(f) of the UK GDPR which states, “appropriate technical
and organisational measures to be taken against unauthorised or
unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data.”


• Article 5(1)(d) of the UK GDPR which states, “accurate and, where
necessary, kept up to date; every reasonable step must be taken to
ensure that personal data that are inaccurate, having regard to the
purposes for which they are processed, are erased or rectified
without delay.”


The reasons for the Commissioner’s findings are set out below. 


Representations made by the Trust have been acknowledged and have 
been considered prior to the issuing of this reprimand. 


The incident occurred when a Trust administrator 
sent a standard letter to inform the father of a child patient of an 
appointment made for the child to attend hospital for a medical 
examination. The appointment letter was sent to the wrong address. 


The letter was sent to the address of family of the child’s mother.
Though only basic details were included in the letter, a leaflet with
advice was included in the envelope with the letter. This caused
significant distress to the father, child and to the family.


From the information seen during the investigation, the Trust has not
provided evidence of a formal documented process or procedure, in use at
the time of the incident, to ensure that regular updates of patient details
were made on the e-Camis system using the NHS Spine to ensure the
accuracy of the data held by the Trust. It was a concern that the Trust’s
e-Camis system would only have been updated if a patient had recently
attended for an appointment.


Therefore, there was an inherent risk that the e-Camis system did not 
reflect accurate patient information available to the Trust via the NHS 
Spine. This risk should have been considered by the Trust and a clear 
written procedure put in place to ensure steps were in place to mitigate 
this risk and ensure the correct contact details were used. 


Evidence has also shown that there was no process to inform staff of 
checks that may be necessary when using information from referral 
letters or the NHS Spine, particularly when sending correspondence that 
may be more sensitive than usual. If such a process had been provided 
for staff, it would have gone some way to mitigate the risk of e-Camis not 
being accurate. 


From information provided during the investigation, the emphasis of the 
Trust was always on the Trust’s three-point check that is in place for 
checking personal details against e-Camis. This may be sufficient when 
handling general correspondence. However, by the Trust’s own admission, 
that check would not have ensured that this breach would not have 
occurred. 


It was a concern that nothing was seen that pointed to staff being made 
fully aware of all checks that should be made in all situations when 
dealing with particularly sensitive information. 


An amended Information Governance Protocol (the protocol) has been
provided by the Trust. This includes some guidance for staff going
forward. This, accompanied by further training and formal guidance, may
help ensure that incidents of this nature would be less likely to occur in
future. However, there has been no evidence seen that any similar
measures were in place at the time of the incident.


Therefore, although the Trust has said that this incident was caused by 
human error, there has been no evidence seen that the Trust fully and 
appropriately prepared staff for their role in dealing with correspondence 
that was particularly sensitive. More effective preparation would have 
mitigated against the possibility of human error. 


The result of the breach led to significant distress being caused to the
child and their family.


Mitigating factors 


Although appropriate measures were not in place to ensure that staff 
were aware of all the checks that should be taken, it is noted that the 
Trust's overarching data protection training for staff was sufficient and 
conformed to a national standard for the NHS. The Trust has stated that it 
would provide refresher training for staff following the incident. 


It was also noted that the Trust provided more than one apology to the 
father of the child in the immediate aftermath of the incident which may 
have helped in convincing the father to allow the child to continue with 
the medical examination. 


Remedial steps taken by South Tees Hospitals NHS Foundation Trust 


The Commissioner has considered and welcomes the remedial steps taken
by the Trust in the light of this incident, in particular the decision by the
Trust to implement a new Standard Operating Procedure (SOP) for
checking and updating personal information held on systems not linked to
the Spine.


Decision to issue a reprimand 


In conclusion, the Trust failed to ensure that the personal data it held for 
the child patient in this case was accurate. It also failed to ensure the 
integrity and confidentiality of the personal data it held for the child. 
Therefore, the Trust infringed both Article 5(1)(d) and Article 5(1)(f) of
the UK GDPR.


Taking into account all the circumstances of this case, including the 
mitigating factors and remedial steps, the Commissioner has decided to 
issue a reprimand to the Trust in relation to the infringements of Article
5(1)(d) and Article 5(1)(f) of the UK GDPR set out above.


Further Action Recommended 


The Commissioner recommends that the Trust should take certain steps 
to ensure its compliance with UK GDPR. 


1. In order to ensure the Trust’s compliance with Article 5(1)(d) and
Article 5(1)(f), the Trust should ensure that the new SOP, including
the additional checks, is implemented as soon as possible.


2. The Trust should also ensure that other remedial measures stated in
its response to the Commissioner’s enquiries are fully implemented
as soon as possible, including administration and secretarial staff
repeating Data Security and Protection training.


3. In order to ensure compliance with Article 5(1)(f), the Trust should
ensure that all staff who may deal with correspondence are trained
in a process to ensure that full and proper checks of patient details
are made against the NHS Spine to prevent further incidents of this
kind.


4. In order to ensure compliance with Article 5(1)(d), the Trust should
ensure that the e-Camis system is regularly updated and checked
against the NHS Spine to reflect accurate patient information.


